Authenticated users sending from blacklisted IP's

Similar Messages

• Retrieve authenticated user name from environment

  Hi All,
  I'm connecting to Oracle from C++ using OCCI API. At the same time, the database authentication is based on secure Oracle Wallet feature.
  conn = env->createConnection("","",connection_string);
  Now, after I've created connection can I retrieve user name from the environment or connection object without querying database?
  Thank you.

  Hi Patrick,
  I'm just trying your code example in Eclipse but it gives me plenty of errors so I guess I'm not importing the right libraries or so.
  My goal was to write just a simple response.write of the userID stored in the cookie...
  The first error appears in the "ticket.setCertificates(this.certificates);" line, saying that "certificates cannot be resolved"..
  Here's what I used :
  import com.sapportals.portal.prt.component.*;
  import com.sap.security.*;
  public class cookie extends AbstractPortalComponent
      public void doContent(IPortalComponentRequest request, IPortalComponentResponse response)
            try
            com.sap.security.core.ticket.imp.Ticket ticket = new com.sap.security.core.ticket.imp.Ticket();
            ticket.setCertificates(this.certificates);
            ticket.setTicket(base64Value);
            String vali = ticket.toString();
            ticket.verify();
            if (ticket.isValid())
            info = new SAPTicketInfo(ticket.getUser(),ticket.getSystemID(),ticket.getSystemClient(),ticket.getExpirationDate(),ticket.getCodepage());
            response.write (info);
            else
            throw new TicketVerifierException("Ticket is invalid ");
            catch (Exception ex)
            throw new TicketVerifierException("Error in verifying ticket "+ex.getMessage(),ex);
  What am I missing ?

• Weblogic on Unix, authenticating users/groups from NT domain controller

  Hi!
  Our weblogic 6.1 server will eventually run on a non-windows platform, but
  needs to authenticate users from a Windows NT 4.0 domain controller. What's
  the best solution to this?
  - What (inexpensive) LDAP-servers supports synchronization with a Windows
  domain controller?
  - Or am I missing out on other ways of doing this?
  jan henrik

  Yes. Other instrinsic jobs are failed too. Does this related to Job Dispatcher service? Thank you for your help.

• Get authenticated user name (HTTP basic auth)

  Hi.
  How can I get the authenticated user name from a BPEL process when the service is protected with HTTP basic auth?
  I'm running SOA Suite 11.1.1.5.
  Thanks in advance.
  Mick

  Doh! Ok So I've added a SOAP Handler to automatically add the username and password for the HTTP Basic Auth.
  All in all does this setup sound right?

• Getting mail authentication errors for outlook user sending mail

  When Outlook 2010 user attempts to use port 587 to send mail (to himself at this point), we see the following in the server logs:
  (User in question can attach to file shares on the same server just fine from his Windows laptop)
  Outlook config for outbound server is "port: 587, encryption TLS"
  When we connect, we get "connection interrupted by server"
  Tried other encryption methods - outlook 2010 states that server does not support the other methods (None, SSL)
  SMTPD Logs
  Jul 29 22:22:58 <servername>.l-n-l.com postfix/smtpd[2306]: connect from <Outlook Client Name>[<Outlook ClientAddr>]
  Jul 29 22:22:58 <servername>.l-n-l.com postfix/smtpd[2306]: error: validate response: error: Authentication server failed to complete the requested operation.
  Jul 29 22:22:58 <servername>.l-n-l.com postfix/smtpd[2306]: error: validate response: authentication failed for user=colin (method=DIGEST-MD5)
  Jul 29 22:22:58 <servername>.l-n-l.com postfix/master[1407]: warning: process /usr/libexec/postfix/smtpd pid 2306 killed by signal 6
  Jul 29 22:22:58 <servername>.l-n-l.com postfix/master[1407]: warning: /usr/libexec/postfix/smtpd: bad command startup -- throttling
  Jul 29 22:24:12 <servername>.l-n-l.com postfix/smtpd[2270]: timeout after END-OF-MESSAGE from localhost[127.0.0.1]
  Jul 29 22:24:12 <servername>.l-n-l.com postfix/smtpd[2270]: disconnect from localhost[127.0.0.1]
  Meanwhile: Mac clients are able to connect to smptd submission port to send mail with no problems. Based on what the logs say, it appears that the Mac mail is using a different authentication mechanism.
  Client config for outbound server is "use custom port: 587, Use SSL:Checked, Authentication: MD5 Challenge-Response"
  Jul 29 22:19:12 <servername>.l-n-l.com postfix/smtpd[2261]: connect from <Mac Client Name>[<MacClientAddr>]
  Jul 29 22:19:12 <servername>.l-n-l.com postfix/smtpd[2261]: 721FCEC991: client=<Mac Client Name>[<MacClientAddr>], sasl_method=CRAM-MD5, sasl_username=<username>@l-n-l.com
  Jul 29 22:19:12 <servername>.l-n-l.com postfix/cleanup[2267]: 721FCEC991: message-id=<[email protected]>
  Jul 29 22:19:12 <servername>.l-n-l.com postfix/qmgr[1800]: 721FCEC991: from=<[email protected]>, size=573, nrcpt=1 (queue active)
  Jul 29 22:19:12 <servername>.l-n-l.compostfix/smtpd[2270]: connect from localhost[127.0.0.1]
  Jul 29 22:19:12 <servername>.l-n-l.com postfix/smtpd[2270]: E722AEC9A0: client=localhost[127.0.0.1]
  Jul 29 22:19:12 <servername>.l-n-l.com postfix/cleanup[2267]: E722AEC9A0: message-id=<[email protected]>
  Jul 29 22:19:12 <servername>.l-n-l.com postfix/qmgr[1800]: E722AEC9A0: from=<[email protected]>, size=994, nrcpt=1 (queue active)
  Jul 29 22:19:12 <servername>.l-n-l.com postfix/smtp[2268]: 721FCEC991: to=<[email protected]>, relay=127.0.0.1[127.0.0.1]:10024, delay=0.55, delays=0.06/0.01/0.01/0.48, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as E722AEC9A0)
  Jul 29 22:19:12 <servername>.l-n-l.com postfix/qmgr[1800]: 721FCEC991: removed
  Jul 29 22:19:13 <servername>.l-n-l.com postfix/pipe[2273]: E722AEC9A0: to=<[email protected]>, relay=dovecot, delay=0.13, delays=0/0.01/0/0.12, dsn=2.0.0, status=sent (delivered via dovecot service)
  Jul 29 22:19:13 <servername>.l-n-l.com postfix/qmgr[1800]: E722AEC9A0: removed
  Jul 29 22:20:12 <servername>.l-n-l.com postfix/smtpd[2261]: disconnect from <Mac Client Name>[<MacClientAddr>]
  Running OS X 10.8.4 with Server 2.2.1.
  Any thoughts on what I need to do to make OSX Server mail play nice with Outlook over the submission port?
  Thanks in advance!!

  Ok - so I think I have it almost all sussed. So for all 3 of you who might be reading this, here is what is going on.
  1) As I expected, this has nothing to do with the FQDN/Outlook problem. I actually rejoiced when I finally got far enough to have that problem with my Outlook 2007 and 2010 clients. And I don't like the recommended fix for that either. There is another way - more on that in a minute.
  2) This problem was all about authentication methods. At present, I have OS X Mail Server set for plain text and APOP only. I will be working to fix this soon - but at present I am unable to find any other combination that permits both Mac Mail and Outlook clients to authenticate properly. Mac Mail wants to use CRAM-MD5 by default. Outlook is so incompatible with CRAM-MD5 that even when there are other authentication methods available on the mail server, if CRAM-MD5 is selected on the Server then Outlook fails miserably no matter how you configure the Outlook client. Caveat: this is my own observation and I still have some experimenting to do. If you know otherwise (or can confirm more definitively), then please speak up!
  So here is the working configuration at present:
     A) Mail Server authentication set to Custom with PlainText and APOP selected, all others blank.
     B) Firewall permits inbound from ports 25 (for mail from "outside"), 587 (submission for authenticated users, TLS) 993 (SSL IMAP), and 995 (SSL POP).
     C) Mac POP Clients:
        i) For retrieval (POP) In advanced settings, use Port 995, Check "Use SSL", Select APOP for authentication.
        ii) For submission (SMTP) : Set port 587 (only), Set Authentication to "Password"
      D) Outlook 2007,2010,2013 clients
         i) For retrieval (POP), Set "Require secure logon using SPA"
        ii) In "More Settings/Outgoing Server" set it to require authentication with same credentials as inbound
       iii) In "More Settings/Advanced"
           a) Turn on Encryption for the POP3, this should change the port to 995 automatically. If it does not, fix that too.
           b) Set outgoing server to 587
           c) Set TLS for the encryption type (nothing else will work here)
  Once you do 2.A, 2.B, 2.D, you will THEN, finally encounter the FQDN problem.
  3) So Apple and a lot of folks here in the forums resolve the FQDN problem by removing one of the restrictions:
      Remove "reject_non_fqdn_helo_hostname" from "smtpd_helo_restrictions" in your postfix main.cf file.
  I have at least 2 problems with this:
     A) It removes yet another little bit of security from the setup
     B) It involves non-GUI changes to the config...which is dangerous if you use the GUI, as changes within the GUI will often result in overwrites to your changes outside the GUI. So you can easily lose this fix without being aware of it until one of your Outlook users starts screaming.
  The problem is really with Outlook and Windows not sending the FQDN in the first place. So how about we force them to do that instead? It turns out not to be too hard. I found a thread somewhere that goes into this and it works. Further, the solution remains on through reboots AND also can be made part of an automated deployment of a standard config. The only gotcha is you have to edit the registry...so you have to be careful. You only need to do this ONCE though, and the two entries are easy to find.
    C) Under HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/services/Tcpip/Parameters
         i) Set Hostname to the FQDN of your host (replace HOST with HOST.domain.com - or .net, or whatever)
        ii) Set NV Hostname to the FQDN of your host
        iii) Close Regedit and Reboot to have the changes take effect
  Once you do this, the FQDN problem for Outlook users goes away.
  So I am looking for suggestions to make the SMTP submission more secure. Aside from that, things are working - and I have had to make ZERO changes to config files outside of the Server GUI - a plus as far as I am concerned.

• Problem: SMTP Authenticated Users Blocked By RealTime Blacklists

  Running Server 10.5.2
  I have the following RTBLs in the server setup
  bl.spamcop.net
  zen.spamhaus.org
  I have several remote users on cable connections who connect to the SMTP service and authenticate using their login and password. When they try to send email, the RTBLs block them from being able to relay mail even though they are authenticated users.
  Shouldn't Authenticated users bypass any RTBLs which are defined?
  Is there any way to fix this major program (Major problem for me anyways)?
  Message was edited by: ch0b1ts2600

  You can add the IP of you remote users to the list at 'Accept SMTP relays from these hosts and networks' under the Mail > Relays tab of Server Admin. Unfortunately for those users with dynamic IP addresses you may find yourself inserting a range of IPs like "66.214.80.0/20".
  It's a lot easier than constantly trying to remove their IP from the Spamhaus RBL list.

• Cannot send email via ActiveSync when user connect from Internet (Exchange 2010 SP3 RU5)

  Hi All. 
  This is the first time I encounter this kind of issue, whenever user connect from the internet they cannot send email from their Phone or Windows Mail App, but they can retrieve email 
  But when they connect from Internal Network they can send email. I already test ActiveSync from internet using www.testexchangeconnectivity.com and it pass all tests. 
  I also check the Firewall and all the necessary ports already opened (we even open all ports) , the default TTL on the firewall 3600 second. 
  From what I read ActiveSync use some kind of HTTP POST or in MS terminology "PING" command, but still have no idea what kind of configuration that should be made to the Firewall so it can pass this "PING" command. Because from what I
  see in Android Logcat the problem always related to this PING command 
  10-07 08:12:38.714 I/Exchange(31971): Interrupt with reason 1
  10-07 08:12:38.714 I/Exchange(31971): Ping task ending with status: -1
  10-07 08:12:38.904 D/Exchange(31971): created outputstream
  10-07 08:12:39.204 W/Exchange(31971): IOException sending mail
  10-07 08:12:39.204 E/Exchange(31971): Generic error for operation SendMail: status 200, result -100
  10-07 08:12:39.204 W/Exchange(31971): Aborting outbox sync for error -99
  10-07 08:12:39.274 I/Exchange(31971): Ping task starting for 3
  10-07 08:12:39.304 D/SyncManager(644): failed sync operation [email protected] u0 (com.android.exchange), com.android.email.provider, USER, latestRunTime 71219435, EXPEDITED, reason: 10040, SyncResult: stats [ numIoExceptions: 1]
  10-07 08:12:39.304 D/SyncManager(644): not retrying sync operation because SYNC_EXTRAS_DO_NOT_RETRY was specified [email protected]  u0 (com.android.exchange), com.android.email.provider, USER, latestRunTime 71220078, EXPEDITED, reason: 10040

  Hi ronaldosy,
  How about the work flow of Outlook or OWA on PC internally/externally?
  If only phone has this issue, I suggest ask ActiveSync Forum for help so that you can get more professional suggestions. For your convenience:
  http://social.technet.microsoft.com/Forums/exchange/en-US/home?forum=exchangesvrmobility
  Best Regards,
  Allen Wang

• How can I stop authenticated users from getting other user's information?

  We recently discovered that it is possible for authenticated users, via KMu2019s details view, to view details about the other users that have access to the same resource as you.  Our portal (7.0 sp15) is used for an external facing web site.  We have secured it against anonymous users but the problem still remains for authenticated users.  Here is an example:
  The KM folder documents\Public Documents has been assigned read permissions for the group Everyone.  An authenticated user can open the URL https://<host>/irj/go/km/navigation/documents/Public%20Documents and a list of folders are shown.  The user can then select the Details from the menu for one of the folders and the Details iview is displayed.  They then select the menu item Settings > Permissions and the users/groups/roles assigned to this folder are shown.  The user can then select a user and view that users name and email address or the user could select a group and view for each member of the group the user id, name, and email address which could then be used to help attack the site.
  So I thought it would be easy enough to disable the details view for all users but content managers or administrators but I seem to running into difficulty. 
  I tried disabling the Details KM command with limited success.  Even with it disabled, if you know the URL for the details component you can still access it.  So it seems the better option is to take away access to the details component.  It seems that the users are getting access to the Details iView from the standard eu_role.  If I remove the iView from this role then all user have no access to the Details in KM.  I tried to add the iView to another role that content managers would have but when logged in with a user that had that other role I still was not able to access the Details iView. 
  This SAP Help document [http://help.sap.com/saphelp_nw70/helpdata/en/47/f0f7415e639c39e10000000a155106/frameset.htm |http://help.sap.com/saphelp_nw70/helpdata/en/47/f0f7415e639c39e10000000a155106/frameset.htm ]discusses the eu_role(Standard User role) and it states that
  By default, the Everyone group is assigned to the Standard User role. If you choose to use the other every user roles instead, you need to remove these assignments from the Standard User role and apply them to the Every User Core and Control Center User roles.
    But, when I look at what groups the role is assigned to or what roles are assigned to the Everyone group they donu2019t appear to be linked contrary to what the documentation says.  So, what Iu2019m thinking here is that I can create a copy of this role and remove the Details iView from the original and then assign the copy to the content managers and administrators.  Doing this causes all users to lose access, even the content managers.
  I thought Iu2019d give the Security Zones a try to see if this could help me but when I take away rights from here it still allows access.
  Iu2019m stumped.  Iu2019m sure there is some key piece that eludes me.  What can I do to allow users read only access to some KM folders and files while preventing them from viewing the permission/user details?

  The only 3d party apps are Hazel...
  And that's your problem!
  From the Hazel site's description:
  Hazel watches whatever folders you tell it to, automatically organizing your files according to the rules you create.
  Hazel, is a prefPane so you must have some rule (or it supplied the rule as a default) to put pictures (jpg's) from your Desktop (folder) into your Pictures folder.
  Open your System Preferences and Hazel in there and either turn off Hazel or change or delete the appropriate rule covering this situation.

• I receive e-mail attachments " win mail.dat" from iPhones and iPads.All I can find is that Outlook users send these e-mails. I found "letter opener" and it helps but I'd rather receive jpeg in stead from my Apple friends

  Last week I suddenly started receiving all e-mails with photo attachments from other iPad and iPhone users (on my iMac, iPhone as well as iPad!)  as " winmail.dat" files. It says everywhere that that is caused by Outlook users sending RTF e-mails. Obviousely that is not the case here. I found an app to open the attachments, but of course that is no real solution. I asked Android and MS Outlook users to send me e-mails with JPEG attachments and the arrive aas they should.
  Does anyone know the answer to this?
  Jos Korver

  By the way, some non-delivery receipts (NDRs) are themselves spam messages with malicious attachments designed to infect your computer, so be cautious about opening any of those.

• Cannot prevent authenticated users from creating a blog on "My Page"

  I have a brand new Snow Leopard (10.6.1) 2.26 Ghz quad core Xserve with 12Gb RAM that will be used for web collaboration services. I've currently set up Wiki and Blog services with a group membership to allow creating wikis/blogs. The reason for this is for staff development purposes with the plan to add people into the group as they are trained. The process to set it all up was very simple, however, I'm having an issue preventing authenticated users from creating a personal blog. Although I can prevent the creation of wiki's to members of a group easily, any authenticated user on the server can log into "My Page" and will be able to create a blog. I've gone to server admin>choose the server>choose the "access" icon and set the column "for selected services below" (blog) to "allow only users and groups below" (the group) and it still doesn't prevent them from making a blog page. In WGM for the group on the "Basic" tab, the "enable the following services for this group" has only the choice of "none" and therefore since the site isn't showing as a choice, the Wiki, Blog, Calendar and Mailing List is grayed out. I've seen another thread that states in 10.6 that option for setting the service acl in the group settings of WGM is unavailable. Does anyone know a fix for my problem of security access for a "My Page" blog or is it a possible bug in Snow Leopard? Right now my only workaround is to remove the users access and enable it as they are trained. This isn't an ideal fix, however, because we have some users who want to limit their wiki or blog to authenticated users only, not public access. Any help will be greatly appreciated.
  Message was edited by: dstrollo.il

  Ran into this same issue.... Talked with a field engineer who confirmed the behavior. The question now is this a defect or "feature that does not work as as the audience desires". As I far can tell, the security setting for blogs in server admin does nothing at all. This has the potential to cause a few issues as you cannot limit who can have a blog.
  Message was edited by: jlindler

• 10.6.1 Server - cannot prevent authenticated users from creating a blog

  I have a brand new Snow Leopard (10.6.1) 2.26 Ghz quad core Xserve with 12Gb RAM that will be used for web collaboration services. I've currently set up Wiki and Blog services with a group membership to allow creating wikis/blogs. The reason for this is for staff development purposes with the plan to add people into the group as they are trained. The process to set it all up was very simple, however, I'm having an issue preventing authenticated users from creating a personal blog. Although I can prevent the creation of wiki's to members of a group easily, any authenticated user on the server can log into "My Page" and will be able to create a blog. I've gone to server admin>choose the server>choose the "access" icon and set the column "for selected services below" (blog) to "allow only users and groups below" (the group) and it still doesn't prevent them from making a blog page. In WGM for the group on the "Basic" tab, the "enable the following services for this group" has only the choice of "none" and therefore since the site isn't showing as a choice, the Wiki, Blog, Calendar and Mailing List is grayed out. I've seen another thread that states in 10.6 that option for setting the service acl in the group settings of WGM is unavailable. Does anyone know a fix for my problem of security access for a "My Page" blog or is it a possible bug in Snow Leopard? Right now my only workaround is to remove the users access and enable it as they are trained. This isn't an ideal fix, however, because we have some users who want to limit their wiki or blog to authenticated users only, not public access. Any help will be greatly appreciated.

  Thanks for the suggestion, but that would prevent all users from creating personal blogs. I was hoping to be able to have a group of users that can create a personal blog outside of the blog attached to a wiki.

• Authenticated Users & Users missing from Root

  Hello,
  Environment: MDT 2013, 2008 R2, Windows 7 x86.  MDT is located on Windows 7 x86 and is not integrated with SCCM or WDS.
  Process: Separate build, capture, and deployment task sequences.
  Problem:  After deployment the Authenticated Users and local Users are missing from the root (e.g., c:).  The only security permissions assigned to the root are SYSTEM, domain account, Local Administrator.
  This causes problems once joined to a domain due to the fact Authenticated Users have no permissions forcing a given user to have a temporary account.  So far, only a partial workaround is identified and is undesirable in the long-run.  The workaround
  is to manually add Authenticated Users as well as the Local Users to the root and delete the domain account but the system will only allow partial inheritance through the file structure.  Delete all entries for a particular user in the registry (e.g.,
  PolicyGUID, ProfileGUID, ProfileList).  Afterwards, log in to the machine with an account within the domain administrator group.
  Additional information shows the registry Profilelist entries for a user maintains partial access with a value of 204; this includes the user and a domain account within the administrator group.  The domain account present after deployment has a value
  of 0.  Two accounts have the expected value of 256 and they are the local and domain administrator account.
  Also, if the same image is deployed using the PE environment the accounts are as they should be.  The groups added are: Authenticated Users, Localmachine\Users, SYSTEM, Localmachine\Administrators.
  The questions are: why would the Authenticated Users and Local Users accounts be missing?  Why is the account used to deploy added?
  Help is very appreciated, and thank you.

  Hello, Nicholas the sysprep and capture is completed by a default template from MDT LTI sequence.  The answer file used is the default provided by MDT.  No attempt is made to capture from winpe because this simply negates the point of the MDT process. 
  However, applying the same image from winpe there are no permission issues and all the appropriate groups are assigned to the root.
  With returning to the office this fine morning, I ran icacls on a machine:
  C:\Users\Administrator>icacls c:\
  c:\ No mapping between account names and security IDs was done.
  (I)(OI)(CI)(F)
  BUILTIN\Administrators:(I)(OI)(CI)(F)
  NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
  Mandatory Label\High Mandatory Level:(OI)(NP)(IO)(NW)
  Successfully processed 1 files; Failed processing 0 files
  Thank you for the continued effort, Nicholas.  With the additional icacls information I will delve into the general error provided.

• Hotmail users don't see pictures send from program "mail" on Mac

  I'm using "mail" (i.e. Mac's standard mail program) under Mac OS 10.6.8 and whenever I want to put image files (like JPEG or PNG  documents [*]) in attachment it includes it right in the text body of the mail itself… resulting in red crosses if the recipient uses hotmail.
  [*] even PDF documents are plainly SHOWN instead of having it as an attachment! Grrrr…
  • Anyone who can tell me how to avoid including documents in the text body of the mail (and thus to keep it as a separate attachment)?
  • Anyone who can tell me how to help hotmail users on PC to view images coming from a Mac sender?
  THANKS

  I was having the same problem; but I've found a workaround that might help. Here's what to do:
  Set up your iCloud account on your iPhone/iPad with whichever email address you want as your main one; either .me or .mac.
  Set up a Gmail account if you don't already have one. It doesn't matter if you don't ever intend you use it for sending email.
  Go to your 'Mail, Contacts, Calendars' settings on your iPhone/iPad, and add the Gmail account if you don't already have one set up.
  Go into your Gmail settings and under 'Account' list all the email addresses you want  want to send from as your secondary option. In my case, I had already set up iCloud with .mac so I've listed the .me one in my Gmail settings. Put a comma and space between each email address. I've got three email addresses listed here. (See screen grab). Oddly, I didn't seem to have the comma key available on my iPad, so I listed my email addresses in 'Notes' and cut/pasted them in.
  Now when you send an email, you should have all those addresses available to send from.
  Hope this helps.
  Tom.

• Thunderbird keeps returning an error "no such user" when I try to send from some email addresses even though I know that is false.

  emails will not send from @protranscript.net domain addresses, even though they receive just fine. The program keeps saying that the server says there is no such user, even when I try and email myself!

  "An error occurred while sending mail. The mail server responded: <[email protected]> No such user here. Please check the message recipient [email protected] and try again." I know for a fact that email exists because it is the one your reply came to, lol.

• Proxy login from externally authenticated user

  Hi Experts,
  I created an externally authenticated user in database. And can login without password with below syntax.
  SQL> connect / @TESTDB
  Connected.
  SQL> show user;
  USER is "SCOTT"
  This scott user has a proxy permission to another DBuser PROXY_USER.
  I got the syntax but that works only from Database OS.
  sqlplus [proxy_user]/
  SQL*Plus: Release 11.1.0.6.0 Production on Mon Nov 15 16:28:47 2010
  Copyright (c) 1982, 2010, Oracle. All rights reserved.
  Connected to:
  Oracle Database 11g Release 11.1.0.6.0 - 64bit Production
  I can connect as externally authenticated user from windows CLIENT running on Release 10.2.0.1.0
  SQL> connect / @TESTDB
  Connected.
  But the above mentioned Proxy connectivity syntax fails with below from CLIENT
  SQL> connect [proxy_user]/ @TESTDB
  SP2-0306: Invalid option.
  Usage: CONN[ECT] [logon] [AS {SYSDBA|SYSOPER}]
  where <logon> ::= <username>[<password>][@<connect_identifier>] | /
  But the same syntax works from Database OS!
  I can login from TOAD but can't login from SQLDEVELOPER or SQLPLUS
  My sqldeveloper version is:
  Version 2.1.1.64
  Build MAIN-64.45
  and sqlplus is:
  SQL*Plus: Release 10.2.0.1.0
  Any idea?
  Thanks.
  Edited by: Nadvi on Nov 18, 2010 3:09 PM

  Hi Nadvi
  If you get SQLPLUS working SQLDeveloper (thick jdbc/oci/instant client) is certainly worth trying.
  I am not sure what is the issue with your setup the proxy usecases I am familiar with are:
  Through the SQLDeveloper ui
  There are two ways of doing proxy logins:
  where p1 is proxy user and c1 is proxy client:
  1/single session method (if no 2nd password or distinguished name required)
  on main connection popup
  user: p1[c1]
  password: p1
  2/Two session method
  Main Connection popup
  user: p1
  password p1
  popup connection authentication
  proxy client: c1
  none or password or distinguished name
  -Turloch
  SQLDeveloper Team